Hey PMC members.
I noticed that the webmaster provisioned Bugzilla products for many of the EE4J Projects. I'm pretty sure that, other than EclipseLink and Eclipse Yasson, none of the projects are actually using them (note that I'm taking steps to fill the apparent gap in our process that caused this to happen).
The full list of Bugzilla records created against EE4J projects other than EclipseLink and Eclipse Yasson is here.
There are a handful of security issues reported there. I'm moving them to the "Vulnerability Reports" component, adding project leads in cc, and marking them as "committers only" to reduce the level of disclosure while they are addressed.
I'm pretty sure that we'll be left with a bunch of empty Bugzilla products that will serve only to confuse the community (as most of the projects are using GitHub Issues, and probably don't even know that this is here).
Unless there is any objection, I'm going to open a bug to request that Webmaster remove the Bugzilla presence for all but EclipseLink and Eclipse Yasson.
Note that Bugzilla is available as a means of capturing and managing the disclosure process with some discretion (it provides the ability to temporarily hide issues, while GitHub Issues does not).
--
Wayne Beaton
Director of Open Source Projects | Eclipse Foundation, Inc.